Levine must demonstrate that Georgia Power, the largest subsidiary of Southern, the $11.3 billion regional utility based in Atlanta, complies with federal regulations.Her security group does that by completing security audits to make sure that the protected areas at plants and substations are indeed protected.

"We have reports documenting that the people who have access to those areas have legitimate reasons to be there," Levine says.

...

A second metric for Levine comes from a combination of readiness reviews and penetration testing.

Readiness reviews are planned events and are a key component of Georgia Power's business continuity program.The reviews assess whether employees and site security professionals at a particular facility understand that facility's threat plans and know what to do when the threat level is raised or lowered.Readiness reviews also include interviews with local managers about facility security; an audit of procedures and documentation related to security requirements; an evaluation of the facility's physical security program; and a review of its emergency action plan.

At the end of each review, Levine says, her office writes a report for the facility manager that highlights findings, best practices and recommendations.

For readiness reviews, Levine sends a pre-announced team of security professionals to do security audits of all critical facilities and operations (though she declines to list what types of facilities those are).

In addition, penetration testing attempts to breach security,procedurally, technologically or physically,to determine whether the security program is functioning as it should, she says."We may have someone try to walk through a facility without wearing a badge to see how far they can get before being challenged," Levine says."Or we may have someone see if they can talk their way around our delivery processing requirements."

Results Reports Results are reported in two ways.First is what Levine calls the "objective, scenario, outcome": Here's what Georgia Power was testing (for example, the effectiveness of visitor management personnel); here's how security tested it (use of outdated or fake identification credentials); and here's what happened."The results are reported by comparing the test outcome with the test objective, in addition to including a description of how the test was carried out," Levine says.

...

After collecting results, Levine's group tracks the physical and technical security measures at each location to ensure that they are functioning properly.Physical security measures include perimeter barriers, lighting, locking devices and key controls, and signage.Technical security measures include intrusion alarms, closed circuit television and other monitoring devices, access control and visitor management systems.

"We would want to make sure that the security folks onsite knew what to do in the event of raising the threat level or a breach of security," Levine says, "and also have a good awareness of security protocol and who they could go to if a breach did occur."

Tracking Trends Incident trends and loss trends are next on Georgia Power's metrics list.Levine says that it's critical to be able to demonstrate that a CSO's security program is a significant mitigating factor in preventing increased incidents and losses.Levine can compare incidents by quarter, year-to-year and across multiple years.She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location.She follows the same process for tracking losses; she says she tracks property and monetary losses.The key, she says, is if you're not able to prevent losses, then "you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures."

Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports,business executives, plant operators, substation engineers, customer service managers.She says her reports must contain information that is important to them, not just to security managers.Doing this, Levine says, "also enables us to educate them about things that are important from our perspective, and in that give-and-take process we're able to validate the measures that we're using."Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly.

...

Levine considers two other factors when collecting data for metrics.The first is how Georgia Power compares to other utilities.And the second is data quality.

Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern's 12 operating companies. (Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services.Southern also owns a wireless company and a fiber optics business.)

As for data quality, Levine says that it's important to watch out for the equivalent of scorekeeping changes.She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern's security managers.

...

"To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system," Levine says."Otherwise, the analysis,larceny versus financial matters,would show that we'd had a crime wave at Georgia Power."And that's the last thing that Levine and her executives want to hear.

...

PHOTO OF FRANCIS D'ADDARIO BY GARY BENSON; PHOTO OF PLATE WITH COFFEE BEANS-NO PHOTO CREDIT; PHOTO OF JOHN HEDLEY BY RETO SCHLATTER; PHOTO OF MARGARET LEVINE BY SONNY WILLIAMS

ISMA member Zack Lowe, Vice President and CSO for Waste Management Inc., Margaret Levine, Corporate Security Director for Georgia Power, led efforts with the Kellogg School staff to orchestrate the curriculum and direction for this first of its kind program.

Margaret J. Levine is the former Associate Director of the Commission on Accreditation for Law Enforcement Agencies, Inc.Currently, Manager of Technical Services for the Global Security Department of Mobil Oil Corporation, Ms. Levine oversees executive protection, risk assessment, crisis management, and security for business operations in high-risk areas

In her new role, Levine will oversee all aspects of corporate security, providing strategic direction and maintaining a high level of protection and readiness for the company.

Levine came to Georgia Power from Capital One Financial Corp., where she was director of global security.At Capital One, her responsibilities included developing a workplace violence prevention policy, overseeing threat, vulnerability and risk assessments and conducting vulnerability studies.

Prior to her job at Capital One, Levine served as technical services manager for global security for Mobil Oil Corp. and as associate director of the Commission on Accreditation for Law Enforcement Agencies Inc.Earlier, she served as director of the Office on Women for the City of Alexandria, VA.

Levine holds a bachelor's degree in sociology from Washington University in St. Louis, and a master's of public administration from the University of Denver.She is a member of the International Security Management Association (ISMA) and the American Society for Industrial Security (ASIS).